The vulnerabilities, dubbed "ZombieLoad" by the researchers who discovered them, could be used to steal sensitive data from affected systems.

Intel refers to the vulnerabilities as microarchitectural data sampling, or MDS, which can be exploited by attackers to access data being used not just by applications, but also containers and virtual machines.

"MDS may allow a malicious user who can locally execute code on a system to infer the values of protected data otherwise protected by architectural mechanisms," Intel says in a technical deep dive.

Users of Android, Chrome, iOS, Linux, MacOS and Windows operating systems, among others, are potentially at risk. Numerous operating system vendors have begun shipping patches, and Intel has also begun to release microcode updates.

Security experts say the patches will help prevent the vulnerabilities from being exploited, but that the only way to fully block attacks outright is to disable hyperthreading, Intel's implementation of simultaneous multithreading that improves a CPU's power and performance by giving it the ability to perform multiple tasks at the same time.

Intel says that disabling hyperthreading may reduce processor performance by up to 9 percent, particularly in some cloud environments.

Data-Sampling Attack Risk

ZombieLoad was discovered and reported by Michael Schwarz, Moritz Lipp and Daniel Gruss at Austria's Graz University of Technology, together with Jo Van Bulck at Belgium's KU Leuven, who have created a website devoted to the vulnerabilities and published a research paper.

"ZombieLoad is a novel category of side-channel attacks which we refer to as data-sampling attack," the researchers say in a Tuesday blog post. "While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys."

The researchers say any "modern Intel Core or Xeon CPU" released from 2011 onward is likely vulnerable.

The researchers who discovered the vulnerabilities published a proof-of-concept demonstration showing how an unprivileged attacker - who has the ability to execute code on a system - can reconstruct URLs being visited in Firefox.

Life After Spectre and Meltdown

The ZombieLoad research follows January 2018 warnings over Spectre and Meltdown. Both are flaws in predictive computing, a concept that dates from 1967 but which wasn't put into practice until the 1990s. Since then, the technique has been used to increase the speed of computers in a manner that is built into CPU hardware, including chips manufactured by Intel, AMD and ARM.

The discovery of new CPU flaws isn't surprising, given that researchers have continued to pummel modern processors looking for more vulnerabilities (see: Expect More Cybersecurity 'Meltdowns').

Intel Says It Discovered Flaws

Security experts say MDS can be used to target three different microprocessor structures: store buffers, fill buffers and load ports.

"Microcode patches are available for the store buffer attack, but to fully protect against the fill buffer and load port variants, IT administrators must disable Intel Hyper-Threading," Red Hat says.

Whether the ZombieLoad vulnerabilities have been exploited in the wild remains unknown.

Intel says that attempting to use MDS methods to infer data would likely be difficult and potentially time-consuming. "Malicious actors may need to collect significant amounts of data and analyze it to locate any protected data," it says.

Intel told Wired that its own researchers discovered the MDS vulnerabilities last year. The processor manufacturing giant on Tuesday began shipping microcode updates designed to block these vulnerabilities from being exploited by clearing data from CPUs more quickly. Some current processors already have built-in mitigations.

"Some current processors and future processors will have microarchitectural data sampling methods mitigated in the hardware," Intel says. "For processors that are affected, the mitigation for microarchitectural data sampling issues includes overwriting store buffers, fill buffers, and load ports before transitioning to possibly less-privileged code."

Vendors Push Patches

Microsoft on Tuesday released software updates to mitigate the vulnerabilities. "To get all available protections, firmware (microcode) and software updates are required," Microsoft says. "This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services."

So far, however, patches for some versions of Windows 10, Windows Server and Windows Server 2019 have yet to ship.

Amazon and Google say they've already applied patches in their cloud environments, while Apple included fixes as part of recent Mojave (10.14) and Safari updates and Red Hat and VMware pushed updates.

Google says it has opted against trying to mitigate MDS vulnerabilities in Chrome and advises users to use OS-level mitigations.

The researchers who discovered the flaws say that there are multiple ways to partially mitigate the risk that the vulnerabilities can be exploited.

"The safest workaround to prevent this extremely powerful attack is running trusted and untrusted applications on different physical machines," they say. "If this is not feasible in given contexts, disabling hyperthreading completely represents the safest mitigation. This does not, however, close the door on attacks on system call return paths that leak data from kernel space to user space."
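On Linux, a kernel carrying the MDS patches reports the state of these mitigations in a sysfs status file. The following added example (not from the article, Intel, Red Hat or the researchers) turns that status line into the follow-up actions discussed above: microcode update, buffer clearing and disabling hyperthreading. The sample lines are constructed in the format the kernel documents, and the action strings are this example's own wording.

```python
"""Classify the Linux kernel's MDS status line (added example)."""
from pathlib import Path

# Status file exposed by Linux kernels that carry the MDS patches.
MDS_STATUS = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample lines, not captured from a real machine.
SAMPLES = [
    "Not affected",
    "Vulnerable; SMT vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT Host state unknown",
]


def assess_mds(line):
    """Return the follow-up actions an administrator still has to take."""
    state, _, smt = (part.strip() for part in line.strip().partition(";"))
    if state == "Not affected":
        return []
    actions = []
    if "no microcode" in state:
        # Kernel attempts buffer clearing, but the CPU lacks updated microcode.
        actions.append("install microcode update")
    elif not state.startswith("Mitigation:"):
        # Plain "Vulnerable": buffer clearing is not enabled at all.
        actions.append("enable kernel buffer clearing")
    if smt == "SMT vulnerable":
        # Sibling hyperthreads still share the affected buffers.
        actions.append("disable hyperthreading")
    elif smt == "SMT Host state unknown":
        # Reported inside a VM: only the host operator knows the SMT setup.
        actions.append("confirm SMT state with host operator")
    return actions


if __name__ == "__main__":
    lines = list(SAMPLES)
    if MDS_STATUS.exists():
        # Assess the live machine as well when the file is present.
        lines.append(MDS_STATUS.read_text())
    for line in lines:
        todo = assess_mds(line) or ["nothing further"]
        print(f"{line.strip()!r}: {', '.join(todo)}")
```

A status of "Mitigation: Clear CPU buffers; SMT vulnerable" is the case the Red Hat statement describes: the patches are active, yet hyperthreading remains the open exposure.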

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
